With End-to-End Encryption, Whose End Is Getting Protected?
Written by Evan SchumanIn a piece last week, we talked about a series of future security offerings that Visa is pushing, including a comment from a Fifth Third Bank executive that end-to-end encryption has logistical challenges, especially “a tremendous key management issue.”
Although many readers posted comments on the story, some security specialists wrote in privately, fearful of challenging the processors they’re working with. But some of the comments were interesting enough that I wanted to share some of them with you anonymously.
One reader argued that Fifth Third’s resistance had much less to do with making life easier for retailers and more to do with minimizing the processor’s own liability. “Fifth Third sees a major transfer of card fraud liability shifting exclusively to them from the merchant who traditionally has (effectively) 100 percent of the liability. This dynamic would leave Fifth Third (and all acquirers) as the sole liability holder for all card fraud,” wrote one reader. “I can understand their concern. It is rational and it is well-founded.”
That reader also questioned Visa’s ideas about taking a card’s digital image and using it to authentify the card. “Last time I checked, (such a digital fingerprint) would be 54 bytes. Tell me how appending that large of a message set to Track II data can be ‘transparent’ to a merchant. There is a reason why a very good technology like (the digital signature) hasn’t gotten traction. Same reason why conventional encryption hasn’t gotten traction: it’s too disruptive to implement. Good news is that VISA understands the value of this approach. Bad news is that VISA is (once again) pushing a solution that the merchants will reject due to cost.”
The reality is that all of these approaches have their pluses and minuses—like everything else—and that all of the players have their public reasons for supporting approaches and their private reasons. But we still applaud Visa and Fifth Third for at least trying to think creatively. There’s no question that the processors—and Visa and, for that matter, Wal-Mart, Macy’s and Target—have their own objectives.
But if security is going to be improved before federal officials try and legislate the issue to death, we’re going to need creative approaches. Even expensive, time-consuming and inefficient approaches can be better than nothing new. We certainly wouldn’t suggest that retailers assume that Visa or Fifth Third are operating with the retailers’ best interests in mind, but if the ideas are workable, it’s at least a very good start.
-Marc
April 3rd, 2009 at 8:48 am
As a long time POS vendor of 20 years, it amazes me how Visa, MC and the bankcard processors continue to push for retailers and their IT vendors to spend millions upon millions of dollars without any hope of addressing the problem. While the continued security requirements improvements in store systems are a positive and necessary step in overall security, I liken it to having the retailers patch the hole at their end of the boat, while Visa, MC, and the banks watch the hole get bigger at their end of the boat. In the end, the boat will sink no matter how well the retailers and their vendors patched their hole!! End to end encryption is just a matter of time. My advice to the credit card industry is “Fix your hole before the whole damn boat sinks”!!
April 3rd, 2009 at 11:19 am
Thanks for the interesting articles on PCI. After reading all the background I am still a little confused as to the issues. First of all, I assume all legitimate players in the payment process would like to weed out the illegitimate players. Whether it is the cardholder, the processor, the lender, or the retailer, no one benefits from illegitimate transactions. So why wouldn’t everyone want to do what they can to prevent them? The obvious answer is that the cost of prevention is more than the cost of losses. This implies there is more than one solution required so that the cost of prevention can be scaled to the cost of losses. This works across several dimensions including product category, neighborhood, and type of retailer.
After reading through the various options being tested, I have to agree with the digital fingerprint approach. Security 101 will tell you there are three ways to verify identity: something they own, something they know, or something about them. For people, these are the card, the pin, and a bio tag such as finger print, voice print, eye scan, etc. For the physical card it has traditionally been the encoded data, the printed verification number, with nothing equivalent to the bio tag. That is the advantage of the digital finger print. The neat thing about this is that it does not require any changes in store procedures. The additional data is calculated by new readers and used internally. This allows the readers to be distributed to locations where high value product categories, neighborhood demographics, or retail establishment make it prudent.
The McDonald’s approach to all this seems to address a completely different issue. It seems to be more related to how the data is handled internally once a transaction has been executed. Instead of bringing the transaction data into McDonald’s applications, the POS system sends the transaction amount to the card reader and receives a payment authorization. All the transaction details are handled directly with the payment processor through logic and communication capabilities in the card reader. McDonalds knows nothing about the transaction details besides the authorization code. This seems a neat solution if you are worried about data security within a retail framework, but does not seem necessary if the data is secure within an organization. Perhaps the franchise model makes this type of solution more important, but it also needs to address the illegitimate card issue. Another aspect is that it insulates the McDonald’s payment process from future changes in PCI requirements, this might make it appeal to more users.
April 3rd, 2009 at 2:35 pm
Great discussion and analysis of why the encryption has not caught on. I agree with you that if the only option for security is these expensive options, then people will choose to be less secure…
April 3rd, 2009 at 5:42 pm
Cardholder data is vulnerable at all times before it is encrypted. It is un-encrypted on the card itself which makes all parties in the payment world vulnerable, even if their networks and servers are fully encryption secured. Cardholder data theft is not the real problem. It becomes the problem only because the data can be used to commit fraud. It’s more important to stop the payout of dollars (the fraud) than to stop the theft of data. This is the only practical approach once you recognize that you will NEVER be able to keep the track data secret from the criminals. At best, requiring the encryption of cardholder data protects the processor but does nothing to protect the cardholder. The criminals can still get the data; they just cannot get it as quickly or efficiently.
Encryption of data in motion is a good first step but it will not solve the problem. Two and a half billion payment cards are in circulation that all contain data in the clear. The magnetic stripe data is not secret. It is nothing more than a magnetic barcode – a series of zeros and ones, decodable by any first year computer science student. To ask the payment community to protect this data is an impossible task. Therefore other cost effective strategies will be required. Encryption of data will make it more difficult for thieves to steal the data, and it may contain the scale of a breach, but cardholder data is widely available from other skimming venues: pocket skimmers, false front ATMs, tampered POS terminals, unattended gas pumps, phishing and pharming sites, telephone scammers. The best way to protect cardholder data is encryption in conjunction with a robust authentication method. The Digital Image is such a method. You need to offer encryption as well as the ability to know that the reader, the card, the card data, the host, and the cardholder are genuine. This can be done with a one-time Digital Identifier that changes with each swipe. This process (the generation of a one-time authentication value – the DI) renders stolen cardholder data useless to the thieves. It removes the incentive to attack processors and merchants because the thieves can no longer profit from the data theft. Encryption makes theft more difficult, Authentication makes profit more difficult. It protects the Cardholder data even if it has been obtained by breach.
April 8th, 2009 at 4:22 pm
I would like to clarify a point about the digital image (54 bytes) increasing the size of the message. In an 8583 message (ISO POS message) the data length does not change – the digital image is imbedded in field 55. There is no change to length, but receiving party has to know to look for it and it is indeed transparent to the merchant.
April 11th, 2009 at 1:18 pm
Great discussion. The EMV standard 2010 sunrise dates in Iberia, Canada and Australia continue to move the US into the isolation zone when it comes to payment standards. Admittedly, the cost of the chip cards and reluctance on the issuing banks continues to be a hotly debated topic. I’m a fan of the segregation approach with solutions that have the encryption software running on the pin-pad device and POS simply initiates the request and waits for a response. No cardholder data enters the POS application or servers. It encrypts the authorization data and routes it to a central switch where alas…it must be decrypted before sending it off to the processor. The digital identifier is an interesting concept, similar to how we authenticate remotely into a network via VPN token. I’d be an even bigger fan if it could be done with just a software update loaded to the devices so we would not have to invest in replacing thousands of pin-pads, which wouldn’t happen unless there was some financial incentive in doing so.